Oracle Database 12c Release 1 (12.1) supports running Windows services under low-privileged, non-administrative accounts, such as LocalService or an authenticated Windows User Account, instead of the high-privileged Local System Account (LSA), for better security.
Starting with Oracle Database 12c Release 1 (12.1), ORADIM creates Oracle Database service, Oracle VSS Writer service, and Oracle Scheduler service to run under the Oracle Home User account. Oracle Home User is the standard Windows User Account (not an Administrator), specified during installation, that runs most of the Windows services required by Oracle for Oracle home.
If this Oracle Home User is a Windows Local User Account or Windows Domain User Account, then ORADIM prompts for the password for that account and accepts it through stdin.
Note:
Refer to section "About Creating and Starting an Oracle Database Service" and "About Ways to Manage Oracle Database Services" for more information.

All Oracle administration tools that create Windows services have been modified to prompt for the password of Oracle Home User when the Oracle Home User is a Windows Local User Account or a Windows Domain User Account, and the password for Oracle Home User is not stored in the Oracle Wallet.
Depending on the type of database installation and the user account used as the Oracle Home User, Windows services in Oracle home run under a low-privileged, non-administrative account such as LocalService, under an authenticated Windows User Account, or under the high-privileged Local System Account (LSA).
Table C-1 Running Windows Services
Type of Installation | Oracle Home User | Windows Service User for the Services |
---|---|---|
Oracle Database Server | Windows User Account | Windows User Account |
Oracle Database Server | Built-in Account | Local System Account |
Oracle Database Client | Windows User Account | Windows User Account |
Oracle Database Client | Built-in Account | LocalService |
Oracle Grid Infrastructure (with the Grid Infrastructure Management Repository) | Windows User Account | Grid Listeners using LocalService; Database services using Windows User Account; Clusterware services using Local System Account (see Footnote 1) |
Oracle Grid Infrastructure (without the Grid Infrastructure Management Repository) | Built-in Account | Grid Listeners using LocalService; Clusterware services using Local System Account |
Footnote 1 Clusterware requires administrative privileges so it always uses Local System Account to run Windows services.
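
To check which row of Table C-1 a given host actually matches, the logon account of each Oracle service can be read from the service configuration. The following PowerShell is an added example, not part of the Oracle documentation; it assumes the Oracle service names on the host begin with "Oracle", and the function name and category labels are illustrative.

```powershell
# Added example: report the logon account of every Oracle service on this host.
# Assumption: Oracle service names start with "Oracle"; adjust -NamePattern if not.
function Get-OracleServiceAccount {
    param([string]$NamePattern = 'Oracle%')

    Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE '$NamePattern'" |
        ForEach-Object {
            $account = [string]$_.StartName

            # Map the configured logon account onto the categories of Table C-1.
            # The patterns are mutually exclusive, so at most one branch fires.
            $category = switch -Regex ($account) {
                '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' { 'Local System Account' }
                '^NT AUTHORITY\\Local ?Service$'       { 'LocalService' }
                '^NT AUTHORITY\\Network ?Service$'     { 'NetworkService' }
                default                                { 'Windows User Account' }
            }

            [pscustomobject]@{
                Service  = $_.Name
                State    = $_.State
                RunsAs   = $account
                Category = $category
                # Local System is expected for Clusterware (Footnote 1) and for
                # server installs with a Built-in Account; anything else running
                # with it deserves a second look.
                Review   = ($category -eq 'Local System Account')
            }
        }
}

Get-OracleServiceAccount | Sort-Object Category, Service | Format-Table -AutoSize
```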
Certain functions performed by the Oracle Database service require additional privileges. Oracle Universal Installer and other Oracle tools automatically grant the following privileges to the Windows service SIDs of the respective services during the creation of these services:

SeIncreaseBasePriorityPrivilege: A process requires this privilege to change the priority of its threads. This privilege is granted to Windows service SIDs of Oracle Automatic Storage Management (Oracle ASM) or Oracle Database services.

SeBackupPrivilege: This privilege is required to perform backup operations. It is granted to the Windows service SIDs of Oracle VSS Writer service.

SeBatchLogonRight: This privilege is required for an account to log on using the batch logon type. It is granted to the Windows service SIDs of Oracle Scheduler service.
To enable Oracle Database to use Large Pages or working set features, the following additional operating system privileges must be manually granted by the operating system administrator to either the Oracle Home User or to the Windows service SIDs of the specified Oracle Database service during the creation of these services.

Oracle recommends granting privileges to the Windows service SID of Oracle Database service instead of the Oracle Home User. The Windows service SID of the database service will be in the following syntax: NT AUTHORITY\OracleServiceSID.

SeLockMemoryPrivilege: This privilege is required to lock pages in memory. Oracle Database requires this privilege to use Large Pages. See "Overview of Large Page Support" for more information.

SeIncreaseQuotaPrivilege: This privilege is required to change the memory quota for a process. This is needed while setting the max and min working set sizes for the database.
To grant an operating system privilege to a specific user, perform the following steps:

1. From the Start menu, select Control Panel.
2. Double-click Administrative Tools.
3. Double-click Local Security Policy.
4. In the left pane of the Local Security Policy window, expand Local Policies and select User Rights Assignment.
5. In the right pane of the Local Security Policy window, double-click the relevant user privilege. For example, select Adjust memory quotas for a process to change the memory quota for a process or select Lock pages in memory to use Large Pages.
6. Click Add User or Group.
7. Enter the Oracle Home User name in the Enter the object names to select field and click Check Names.
8. Click OK to close the Select Users, Computers, Service Accounts, or Groups dialog box.
9. Click OK to close the Properties window for the privilege.
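
After completing the steps above, the resulting assignment can be verified by exporting the User Rights Assignment area of the local policy and listing who holds the two manually granted privileges. This PowerShell is an added example, not part of the Oracle documentation; it assumes an elevated prompt, and the function name and temporary file name are illustrative.

```powershell
# Added example: list the principals holding the privileges granted manually above.
# Uses secedit.exe (ships with Windows). Run from an elevated PowerShell prompt.
function Get-UserRightHolder {
    param(
        [string[]]$Privilege = @('SeLockMemoryPrivilege', 'SeIncreaseQuotaPrivilege')
    )

    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the User Rights Assignment area of the local security policy.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

        foreach ($line in Get-Content -Path $cfg) {
            # Export lines have the form: SeLockMemoryPrivilege = *S-1-5-...,SomeAccount
            # A privilege that nobody holds does not appear in the export at all.
            if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
                $name    = $Matches[1]
                $holders = $Matches[2]
                if ($Privilege -notcontains $name) { continue }

                foreach ($entry in ($holders -split ',')) {
                    $entry = $entry.Trim()
                    if (-not $entry) { continue }

                    $account = $entry
                    if ($entry.StartsWith('*')) {
                        # "*S-1-..." is a raw SID; resolve it to an account name if possible.
                        $sid = [System.Security.Principal.SecurityIdentifier]::new($entry.Substring(1))
                        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                        catch { $account = "$($sid.Value) (unresolved)" }
                    }
                    [pscustomobject]@{ Privilege = $name; Holder = $account; Raw = $entry }
                }
            }
        }
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

Get-UserRightHolder | Sort-Object Privilege, Holder | Format-Table -AutoSize
```

The Holder column shows whether each privilege was granted to the Windows service SID of the database service, as Oracle recommends, or to the Oracle Home User itself.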